Search This Blog

Showing posts with label Exploits. Show all posts

Researcher Demonstrated How Tesla Key Card Feature Can be Exploited to Steal Cars

 

A researcher demonstrated how a Tesla key card functionality launched last year might be misused to add an unauthorised key that enables an attacker to access and start a vehicle. 

Martin Herfurt, an Austria-based member of the Trifinite research group that specialises in Bluetooth security, conducted the study. Herfurt's research focused on key card access modifications made by Tesla in August 2021, which removed the necessity for customers to place the key card on the central console after using it to open the vehicle. 

The researcher discovered that when a Tesla is opened through NFC using the key card, there is a 130-second window during which an attacker within the Bluetooth range of the targeted vehicle may add their own key. The attack exploits Tesla's VCSEC protocol, which manages communication between the automobile, the phone app, and the key fob. 

Findings by the researcher: 

During such an assault, the infotainment system makes no attempt to warn the victim that a new key has been inserted. According to the researcher, he tried the attack on the Tesla Model 3 and Model Y, but he believes it should also work on the newer Model S and Model X. At the recent Pwn2Own 2022 hacking competition, hackers won $75,000 for an attack targeting Tesla's infotainment system. Herfurt intended to show off his attack at Pwn2Own, but relay attacks were not permitted. 

In reality, he claimed to have identified the authorisation timer attack vector in September 2021 but had been keeping it for Pwn2Own. The researcher stated that he did not inform Tesla about his recent findings before revealing them since he considered the company needed to be aware of the problem. 
Following his disclosure, he received confirmation from others who reported a very issue to Tesla months ago that Tesla was aware of the vulnerability. 

According to the researcher, Tesla recommends using the PIN2Drive function, which requires customers to input a PIN before driving away, but he produced a video last week demonstrating how an attacker may overcome PIN2Drive. Tesla is yet to react to a comment request.

Herfurt is working on TeslaKee, a new smartphone application that is said to safeguard Tesla vehicles from these sorts of relay attacks. Herfurt demonstrated another approach to stealing a Tesla in May. The attacker utilised two Raspberry Pi devices to relay the radio signal between the Phone Key and an automobile over a considerable distance.

CVE-2021-26084: Critical Atlassian Confluence Flaw Exploited in the Wild

Atlassian has confirmed that malicious actors are actively exploiting a new Atlassian Confluence zero-day vulnerability tracked as CVE-2022-26134, designed to install web shells with no fix available at this time. 

Atlassian released a security advisory in which it has stated that CVE-2022-26134 is a critical unauthenticated, remote code execution vulnerability that is compromising Confluence Server (7.18.0 ) and Data Center(7.4.0). 

It said that all versions of Atlassian's corporate Wiki system, Confluence are hit by a serious bug under active exploitation. Experts indicate a possibility of Chinese threat actors being behind the attack. 

“Atlassian has been made aware of current active exploitation of a critical severity unauthenticated remote code execution vulnerability in Confluence Data Center and Server. Further details about the vulnerability are being withheld until a fix is available.” reads the advisory published by the company. 

As of now, there are no patches available for this vulnerability, thus Atlassian suggested its customers make their servers inaccessible by following these steps  restricting Confluence Server and Data Center instances from the internet and Disabling Confluence Server and Data Center instances.

The attack was reported by security firm Volexity, the company announced the availability of the security fixes for supported versions of Confluence within 24 hours (estimated time, by EOD June 3 PDT). It has been further noted that organizations that are using Atlassian Cloud (accessible via atlassian.net) are safe from this vulnerability. 

“After successfully exploiting the Confluence Server systems, the attacker immediately deployed an in-memory copy of the BEHINDER implant. This is an ever-popular web server implant with source code available on GitHub. BEHINDER provides very powerful capabilities to attackers, including memory-only webshells and built-in support for interaction with Meterpreter and Cobalt Strike…” reads the analysis published by Volexity.

“… As previously noted, this method of deployment has significant advantages by not writing files to disk. At the same time, it does not allow persistence, which means a reboot or service restart will wipe it out. Once BEHINDER was deployed, the attacker used the in-memory webshell to deploy two additional webshells to disk: CHINA CHOPPER and a custom file upload shell.”

Researchers: Tesla Cars, Bluetooth Locks, Vulnerable to Hackers

 

Hackers can remotely unlock millions of digital locks around the world, including those on Tesla cars, due to a flaw in Bluetooth technology, according to a cybersecurity firm. 

NCC Group researcher Sultan Qasim Khan was able to open and then drive a Tesla using a small relay device tied to a laptop, which spanned a wide gap between the Tesla and the Tesla owner's phone, according to a video shared with Reuters.

"This proves that any product relying on a trusted BLE connection is vulnerable to attacks even from the other side of the world," the UK-based firm said in a statement, referring to the Bluetooth Low Energy (BLE) protocol - technology used in millions of cars and smart locks which automatically open when in close proximity to an authorised device. 

Although Khan demonstrated the hack on a Tesla Model Y from 2021, NCC NSE 0.23 percent Group claims that any smart lock that uses BLE technology, including residential smart locks, may be unlocked in the same way. A request for comment from Tesla was not immediately returned. 

"In effect, systems that people rely on to guard their cars, homes, and private data are using Bluetooth proximity authentication mechanisms that can be easily broken with cheap off-the-shelf hardware," the firm stated. "This research illustrates the danger of using technologies for reasons other than their intended purpose, especially when security issues are involved". 

According to the NCC Group, such a vulnerability is not the same as a traditional bug that can be repaired with a software patch, and BLE-based authentication was not intended for usage in locking mechanisms.

SpringShell Attacks Target About One in Six Vulnerable Orgs

 

According to figures from one cybersecurity firm, about one out of every six firms affected by the Spring4Shell zero-day vulnerability has already been targeted by threat actors. 

The exploitation attempts occurred within the first four days of the severe remote code execution (RCE) issue, CVE-2022-22965, and the associated attack code was publicly disclosed. 37,000 Spring4Shell attacks were discovered over the weekend alone, according to Check Point, which generated the statistics based on their telemetry data. Software vendors appear to be the most hit industry, accounting for 28% of the total, possibly due to their high vulnerability to supply chain threats. 

Based on their visibility, Check Point ranks Europe #1 in terms of the most targeted region, with 20%. This suggests that the malicious effort to exploit existing RCE possibilities against vulnerable systems is well underway, and threat actors seem to be turning to Spring4Shell while unpatched systems are still exposed. North America accounts for 11% of Check Point's detected Spring4Shell attacks, while other entities have confirmed active exploitation in the United States. 

Spring4Shell was one of four flaws posted to the US Cybersecurity & Infrastructure Security Agency's (CISA) inventory of vulnerabilities known to be used in actual attacks yesterday. The agency has uncovered evidence of attacks on VMware products, in which the software vendor published security upgrades and alerts. 

Microsoft also released guidelines for detecting and preventing Spring4Shell attacks, as well as a statement that they are already analyzing exploitation attempts. Spring MVC and Spring WebFlux apps operating on JDK 9+ are affected by CVE-2022-22965, hence all Java Spring installations should be considered potential attack vectors. Spring Framework versions 5.3.18 and 5.2.2, as well as Spring Boot 2.5.12, were published by the vendor to address the RCE issue. 

As a result, upgrading to these versions or later is strongly advised. System administrators should also be aware of the remote code execution vulnerabilities in the CVE-2022-22963 and CVE-2022-22947 remote code execution flaws in the Spring Cloud Function and Spring Cloud Gateway. These flaws already have proof-of-concept exploits that are publicly available.

CISA: High-Severity Flaws in Schneider & GE Digital's SCADA Software

 

Schneider Electric's Easergy medium voltage protection relays are vulnerable to several vulnerabilities, according to the advisory by US Cybersecurity and Infrastructure Security Agency (CISA). 

The agency said in a bulletin on February 24, 2022, "Successful exploitation of these vulnerabilities may disclose device credentials, cause a denial-of-service condition, device reboot, or allow an attacker to gain full control of the relay. This could result in loss of protection to your electrical network."

Easergy P3 versions prior to v30.205 and Easergy P5 versions before v01.401.101 are affected by the two high-severity flaws. The following are the weaknesses in detail: 
  • CVE-2022-22722 (CVSS score: 7.5) - Use of hardcoded credentials that could be used to monitor and alter device traffic with the device.
  • CVE-2022-22723 and CVE-2022-22725 (CVSS score: 8.8) – A buffer overflow vulnerability that could lead to programme crashes and execution of arbitrary code by sending specially crafted packets to the relay over the network. 

Schneider Electric patched the weaknesses detected and reported by Red Balloon Security researchers Timothée Chauvin, Paul Noalhyt, and Yuanshe Wu as part of updates released on January 11, 2022. The alert comes less than ten days after CISA released another alert warning of several key vulnerabilities in Schneider Electric's Interactive Graphical SCADA System (IGSS) that, if exploited, could lead to data disclosure and loss of control of the SCADA system with IGSS running in production mode. 
 
In similar news, the US Federal Bureau of Investigation has issued a security alert for General Electric's Proficy CIMPLICITY SCADA software, alerting of two security flaws that might be exploited to expose sensitive information, gain code execution, and escalate local privileges. 

The advisories follow a report from industrial cybersecurity firm Dragos that discovered that 24 per cent of the total 1,703 ICS/OT vulnerabilities reported in 2021 had no fixes available, with 19 per cent having no mitigation, restricting operators from taking any steps to protect their systems from potential threats. 

Dragos also discovered malicious activity from three new groups that were discovered attacking ICS systems last year, including Kostovite, Erythrite, and Petrovite. Each of which targeted the OT environments of renewable energy, electrical utility, and mining and energy firms in Canada, Kazakhstan, and the United States.

SquirrelWaffle Adds a Spin of Fraud to Exchange Server Malspamming

 

Squirrelwaffle, ProxyLogon, and ProxyShell are being utilized against Microsoft Exchange Servers to conduct financial fraud via email hijacking. Sophos researchers revealed that a Microsoft Exchange Server that had not been fixed to safeguard it against a set of serious vulnerabilities identified last year was used to hijack email threads and disseminate malspam. 

On March 2, 2021, Microsoft released emergency updates to address zero-day vulnerabilities that could be exploited to take over servers. At the time, Hafnium, an advanced persistent threat (APT) group, was constantly exploiting the bugs, and other APTs swiftly followed suit. Despite the fact that the ProxyLogon/ProxyShell flaws are now widely known, some servers remain unpatched and vulnerable to assaults. 

Sophos has described an instance that combined Microsoft Exchange Server vulnerabilities with Squirrelwaffle, a malware loader that was first discovered in malicious spam operations last year. Malicious Microsoft Office documents or DocuSign content tacked on to phishing emails are frequently used to spread the loader. Squirrelwaffle is frequently used to fetch and execute CobaltStrike beacons via a VBS script if an intended victim has permitted macros in the compromised documents. 

According to Sophos, the loader was used in the recent campaign once the Microsoft Exchange Server had been compromised. By hijacking existing email threads between employees, the server of an undisclosed organisation was utilised to "mass distribute" Squirrelwaffle to internal and external email addresses. 

Email Hijacking can take a variety of forms. Social engineering and impersonation, such as an attacker posing as an executive to dupe accounting departments into signing off on a fraudulent transaction, or sending email blasts with links to malware payloads, can disrupt communication channels. The spam campaign was utilized to disseminate Squirrelwaffle in this example, but attackers also extracted an email thread and used the internal knowledge contained within to execute financial fraud. Customer information was obtained, and a victim organization was chosen. The attackers generated email accounts using a domain to reply to the email thread outside of the server, using a technique known as typo-squatting to register a domain with a name that was very similar to the victim. 

Sophos explained, "To add further legitimacy to the conversation, the attackers copied additional email addresses to give the impression that they were requesting support from an internal department. In fact, the additional addresses were also created by the attacker under the typo-squatted domain." 

The attackers attempted for six days to divert a legitimate financial transaction to a bank account they owned. The money was about to be processed, and the victim escaped the attack only because a bank involved in the transaction realized the transfer was most likely fake. 

Matthew Everts, Sophos researcher commented, "This is a good reminder that patching alone isn't always enough for protection. In the case of vulnerable Exchange servers, for example, you also need to check the attackers haven't left behind a web shell to maintain access. And when it comes to sophisticated social engineering attacks such as those used in email thread hijacking, educating employees about what to look out for and how to report it is critical for detection."

IP Spoofing Flaw Leaves Django REST Applications Vulnerable to DDoS Attacks

 

Attackers used an IP spoofing flaw in Django REST to bypass the framework's throttling function, which is designed to protect apps from mass requests. 

Mozilla, Red Hat, and Heroku, among others, use Django REST as a toolkit for constructing web APIs. It includes a throttling function that limits the number of API queries a client may make. Bot activity, denial-of-service attacks, and malicious actions such as brute-force attempts on login sites, one-time passwords, and password reset pages are all protected by this feature. 

IP addresses are used by Django REST to recognize clients and implement throttling request restrictions. Clients can, however, deceive the server and hide their IP address, according to security researcher Hosein Vita. 

He told The Daily Swig, “Django use WSGI (web server gateway interface) to communicate with web application and X-Forwarded-For HTTP header and REMOTE_ADDR WSGI variable are used to uniquely identify client IP addresses for throttling.” 

As a result, if the X-Forwarded-For header is included in a web request, the server will interpret it as the client's IP address. Vita was able to submit an endless number of requests with the same client by changing the X-Forwarded-For value. The approach only works for unauthenticated queries, according to Vita's bug report. 

APIs that require user authentication take both the user’s ID and the IP address into account when throttling, so IP spoofing is not enough to circumvent the request limits. According to Vita, the attack requires no specific server access, and an attacker who "can just see the website can abuse this method. 

Its immediate impact could be DDoS attacks caused by fraudulent requests flooding Django servers. However, it can also be used for other objectives, such as bypassing login page defences against brute-force attacks. Vita apparently identified the flaw while pen-testing an app with a one-time password login page. 

He stated, “You could log in [to the application] with OTP but I got blocked after many attempts. After my research, I used X-Forwarded-For header, and again I could send requests but after some attempts, again I got blocked.” 

The researcher added: “From my previous background in Django, I guessed it could get bypassed by changing the value of X-Forwarded-For header, and you could send 30 requests with each IP. Then I checked that in my Django API and it was correct.” 

The Django REST team was contacted by The Daily Swig for comment on the vulnerability. Meanwhile, Vita suggests using complementary strategies to protect applications from brute-force attacks. 

He added, “Always use other aspects of security measures as secondary methods. Use Captcha or other related methods to reduce attacks like this in important endpoints. For OTPs, use a token for each generated OTPs.”

The Log4j Incident Demonstrated Again That Publicly Disclosing 0-day Vulnerabilities Only Aids Intruders

 

On December 9, 2021, a (now-deleted) tweet pointing to a 0-day proof of concept (PoC) exploit for the Log4Shell vulnerability on GitHub set the internet ablaze, sending businesses rushing to mitigate, patch, and patch again as other PoCs surfaced. 

Public vulnerability disclosure – that is, revealing to the world the existence of a bug in a piece of software, a library, an extension, or another piece of software, and releasing a proof-of-concept (PoC) that exploits it – occurs frequently for vulnerabilities in a wide range of software, from the most esoteric to the most mundane (and widely used). 

Threat actors are the only ones who benefit from the public disclosure of 0-day PoCs, as per research and experience, because it puts enterprises in the awkward position of needing to remediate the issue without having anything solid to mitigate it with (i.e., a vendor's patch). 

There are several different types of responsible vulnerability disclosure systems available today. Some companies have an official vulnerability disclosure programme while others arrange and operate it through crowdsourced platforms. Companies typically offer money for information concerning flaws in their products (also known as "bug bounties"). 

Those disclosures usually follow a set of steps, and vendor patches have clearly stated release dates so that users have plenty of time to install them (90 days is the accepted standard for this). 

When the Log4Shell vulnerability was announced publicly, the disclosure procedure was already underway (as evidenced by the pull request on GitHub that appeared on November 30). The following is the timeline of the disclosure, according to information provided by the Apache Software Foundation:
  • November 24: The Log4j maintainers were informed 
  • November 25: The maintainers accepted the report, reserved the CV, and began researching a fix November 26: The maintainers communicated with the vulnerability reporter 
  • November 29: The maintainers communicated with the vulnerability reporter December 4: Changes were committed 
  • December 5: Changes were committed 
  • December 7: First release candidate created 
  • December 8: The maintainers communicated with the vulnerability reporter, made additional fixes, created a second release candidate 
  • December 9: Patch released 
While user comments on the Apache Log4j GitHub project page expressed dissatisfaction with the timeliness of the update, this is to be expected when it comes to patching vulnerabilities - as everyone keeps pointing out, after all, the patch was developed by volunteers. 

Probable reasons for releasing PoC 

There could be valid and logical reasons for releasing a 0-day proof-of-concept. The most prevalent of these is the breakdown of the vulnerability disclosure process: the vendor may not be or cease to be responsive, may judge the vulnerability to be minor enough to warrant a repair, or may take too long to fix it – or any combination of the above. 

In situations like these, security researchers frequently decide to make the PoC public for the "common good," i.e. to force vendors to release a patch quickly. Other factors could include publicity (especially if the researcher is associated with a security vendor) – nothing attracts more press attention than zero-day proof-of-concept exploits for a widely used piece of software, especially if no patch is available. 

However, it should be noted that the evidence against publishing proof-of-concept exploits is now substantial and overwhelming. According to a study conducted by Kenna Security, sharing proof-of-concept attacks mostly assists attackers. A presentation at Black Hat several years ago walked through the lifecycle of zero-days and how they were released and exploited, demonstrating that if proof-of-concept exploits aren't publicly disclosed, the vulnerabilities in question aren't discovered for an average of 7 years by anyone else (threat actors included).

Unfortunately, during the log4j scramble, this was discovered a little too late. Although the initial tweets and disclosures were quickly withdrawn, the harm had already been done. Even the most recent revelation, which resulted in the release of patch 2.17.1, generated so much criticism from the security community that the researcher apologized publicly for the publication's bad timing. 

It's encouraging to see that public disclosure of PoC exploits is becoming more common. Researchers who choose to jump the gun need to be criticized, but all must all work together to ensure that more rigorous disclosure mechanisms are in place for everyone so that the public PoC scenario is avoided the next time a vulnerability like Log4Shell is uncovered.

Telegram Exploited by Attackers to Spread Malware

 

Researchers discovered that cybercriminals are using the Echelon info stealer to attack the crypto-wallets of Telegram users in an attempt to deceive new or naïve members of a cryptocurrency discussion group on the messaging network. 

Researchers from SafeGuard Cyber's Division Seven threat analysis section discovered a sample of Echelon in a cryptocurrency-focused Telegram channel in October, according to an investigation published on Thursday. 

The malware used throughout the campaign is designed to exploit credentials from a variety of messaging and file-sharing channels, such as Discord, Edge, FileZilla, OpenVPN, Outlook, and even Telegram itself, as well as a variety of cryptocurrency wallets, which include AtomicWallet, BitcoinCore, ByteCoin, Exodus, Jaxx, and Monero. 

The campaign was a “spray and pray” effort: “Based on the malware and how it was posted, SafeGuard Cyber believes that it was not part of a coordinated campaign, and was simply targeting new or naïve users of the channel,” according to the report. 

Researchers discovered that attackers had been using the handle "Smokes Night" to disseminate Echelon on the channel, although it's unknown how successful they were. "The post did not appear to be a response to any of the surrounding messages in the channel," they added.

According to the researchers, additional users on the channel didn't even appear to detect anything strange or engage with the post. However, this does not imply that the malware did not reach consumers' devices, according to the experts. 

“We did not see anyone respond to ‘Smokes Night’ or complain about the file, though this does not prove that users of the channel did not get infected,” they wrote. 

The Telegram messaging platform has undoubtedly become a hotspot of activity for hackers, who've already taken advantage of its popularity and large attack surface by distributing malware on the network via bots, rogue accounts, and other methods.

Echelon was delivered to the cryptocurrency channel in the form of a.RAR file called "present).rar," which contained three files: "pass – 123.txt," a benign text document comprising a password; "DotNetZip.dll," a non-malicious class library and toolset for manipulating.ZIP files; and "Present.exe," the malicious executable for the Echelon credential stealer. 

The.NET payload also featured numerous characteristics that made it hard to identify or analyze, such as two anti-debugging capabilities that immediately terminate the process if a debugger or other malware analysis techniques are identified, and obfuscation utilizing the open-source ConfuserEx program. 

According to the researchers, additional characteristics of the malware include computer fingerprinting and the ability to take a screenshot of the victim's workstation. According to the researchers, the Echelon sample taken from the campaign uses a compressed.ZIP file to deliver passwords as well as other stolen data and screenshots back to a command-and-control server.

NSO Zero-Click iPhone Exploit Termed 'Incredible and Terrifying' by Researchers

 

Google has described how the surveillance firm NSO Group created an exploit that would allow the user of their software to acquire entry to an iPhone and install malware – and all without the victim ever clicking on a link. 

The US Department of Commerce put NSO Group on its "entity list" last month, effectively barring it from US marketplaces given the evidence that it provided spyware to other authorities, which used it to attack government officials, journalists, entrepreneurs, activists, academics, and embassy workers. Apple issued a permanent injunction prohibiting NSO from using any of its software, applications, or equipment in late November. 

Google's Project Zero (GPZ) has now assessed a comparatively new NSO 'zero-click' attack for iOS 14.7.1 and older, calling it "one of the most technically sophisticated exploits we've ever seen". 

The NSO's exploit was regarded as "incredible" and "terrifying" by GPZ's Ian Beer and Samuel Groß. The hack generates a "weird" emulated computing atmosphere within an iOS element that manages GIFs but does not ordinarily allow scripting. Nevertheless, this exploit allows the attacker to execute JavaScript-like code in that component to write to arbitrary memory regions - and therefore remotely hack an iPhone. 

Citizen Lab, a Canadian security firm, revealed the problem to Apple as part of its collaborative investigation with Amnesty International into NSO's Pegasus mobile spyware program, which can be loaded after jailbreaking an iPhone via an exploit. 

This September, Apple fixed the memory corruption flaw in the CoreGraphics component, identified as CVE-2021-30860, in iOS 14.8. 

GPZ's Beer and Groß said it showed "the capabilities NSO provides rival those previously thought to be accessible to only a handful of nation-states". 

 iMessage is the first point of contact for Pegasus on the iPhone. According to the research, this means that a person can be targeted simply by providing their phone number or AppleID username. 

The flaw in iMessage is due to the extra functionalities Apple allowed for GIF pictures. In iOS's ImageIO library, Apple employs a "fake gif" method to make standard GIF images loop indefinitely. This method also introduces over 20 more image codecs, providing attackers with a far bigger surface to attack. 

"NSO uses the "fake gif" trick to target a vulnerability in the CoreGraphics PDF parser," Beer and Groß explain. 

NSO discovered that powerful tool in Apple's usage of the JBIG2 standard for image compression and decompression. Originally, the standard was utilized in outdated Xerox scanners to efficiently convert photos from paper into PDF files only a few kilobytes in size. 

The emulated database design, which relied on the JBIG2 part of Apple's CoreGraphics PDF parser, was one of several clever methods NSO devised. Despite JBIG2's lack of scripting features, they were able to write to arbitrary memory addresses using an emulated computer environment and a scripting language similar to JavaScript. 

"JBIG2 doesn't have scripting capabilities, but when combined with a vulnerability, it does have the ability to emulate circuits of arbitrary logic gates operating on arbitrary memory," explains Beer and Groß. 

"The bootstrapping operations for the sandbox escape exploit are written to run on this logic circuit and the whole thing runs in this weird, emulated environment created out of a single decompression pass through a JBIG2 stream. It's pretty incredible, and at the same time, pretty terrifying."

Magecart Attacks Surge in the Wild

 

According to a Cyberpion study, several of the world's top corporations in retail, finance, healthcare, power, and many other industries, including Fortune 500, Global 500, and governments, are struggling to avoid Magecart assaults. Magecart is a term used to describe a type of cyber attack wherein cybercriminals compromise third-party code (typically Javascript that runs in browsers) to grab, or scrape, details such as credit card information from web applications (e.g., online checkout software) or webpages that incorporate the code. 

Over the previous two years, the researchers examined over 30,000 flaws and discovered huge shortcomings in existing security platforms and mechanisms for detecting and mitigating Magecart assaults. 

There have also been significant gaps in firms revealing to their customers' security vulnerabilities or exploits happening throughout their digital supply chains, putting all linked organizations at risk of a breach. 

“Our conclusion from the analysis is that as of today, organizations fail to face Magecart threats and detect the vulnerabilities and exploits that hackers leverage to conduct these attacks,” said Cyberpion CEO Nethanel Gelernter. 

“Victims are often the last to know as it’s only later that organizations find that their data was sold or exploited, with the problem extending beyond any single vendor or client relationship. For enterprises, in particular, Magecart attacks pose a significant challenge because it is problematic to set up a solution at scale.” 

Alongside Web, skimming has also been on the surge. It is indeed a danger to online businesses and customers, with cyberattacks significantly affecting firms such as British Airways and Ticketmaster in 2018, Forbes in 2019, as well as local US government portals and messaging app Telegram in 2020. 

At least one of the top five firms in a variety of industries – retail, insurance, financial services, pharma, media, security, and others – were discovered to be susceptible or exploited. And over 1000 online stores are exposed, putting their consumers at risk of being skimmed. Many of the most widely circulated worldwide newspapers were discovered to be susceptible, frequently via their main page. 

Some weak or mistreated businesses deploy anti-Magecart solutions, however, they may be circumvented. Vendor architecture exposes numerous other linked businesses to Magecart, but suppliers frequently fail to notify customers early enough so that preventative action may be taken. In one example, a major internet advertising network impacted 15 worldwide insurance firms, as well as hundreds of smaller businesses.

Linux Foundation Patches Critical Critical Code Vulnerability

 

CVE-2021-43267 vulnerability is detailed as a heap overflow Transparent Inter-Process Communication (TIPC) module shipping with Linux kernels to let nodes in a group communicate with each other in a fault-proof way. 'While TIPC itself isn’t loaded automatically by the system and has to be enabled by end users, Van Amerongen said the ability to configure it from an unprivileged local perspective and the possibility of remote exploitation "makes this a dangerous vulnerability" for those that use it in their networks," reports Security Week. 

The flaw can be abused either locally or via remote code execution within a network framework to get kernel privileges, which allows a hacker to exploit an entire system. Experts discovered a bug in most attacks that used Microsoft's CodeQL, an open-source semantic code analysis engine that assists to identify security flaws. As per the experts, the flaw surfaced in the Linux kernel in September last year, after a MSG_CTYPTO (a new message type) was included to let actors distribute cryptographic codes. 

While investigating the code, expert Van Amerongen discovered a “clear-cut kernel heap buffer overflow," along with remote code execution hints. , Vulnerable TIPC module is loaded with main Linux distributions, however, it requires loading in order to trigger the vulnerability and enable the protocol. A patch was shipped by Linux foundation on October 29, confirming the existing vulnerability which affects kernel variants between 5.10 and 5.15. 

As per cybersecurity firm Sentinel One, it hasn't found any proof of vulnerability exploits in the wild. “This vulnerability can be exploited both locally and remotely. While local exploitation is easier due to greater control over the objects allocated in the kernel heap, remote exploitation can be achieved thanks to the structures that TIPC supports. As this vulnerability was discovered within a year of its introduction into the codebase, TIPC users should ensure that their Linux kernel version is not between 5.10-rc1 and 5.15,” says cybersecurity expert Van Amerongen.

Google Releases New Android Fixes, Warns Users of Dangerous Zero Day Vulnerabilities

 

Google recently released its monthly security patches for Android with patches for 39 flaws, which also includes a zero-day vulnerability which it said is currently being exploited in the open in targeted, limited attacks. Known as CVE-2021-1048, the zero-day vulnerability is known as a use-after-free vulnerability in the kernel that can also be exploited for local escalation privileges. These vulnerabilities can be dangerous as they can allow an attacker to get access or reference memory once it has been freed, which leads to a 'write what where' situation resulting in the implementation of arbitrary code to get access over the target's device. 

There are hints that CVE-2021-1048 may be under restricted, specific exploit, said the company in its November notification without unveiling any technical information of the flaw, the nature of the exploit, and attackers' identity that may have exploited the vulnerability. Security patches also fixed two other RCE (critical remote code execution) flaws, CVE-2021-0918 and CVE-2021-0930, in the device component, allowing remote threat actors to launch malicious codes with the assistance of privileged mechanisms via sending a specifically built transmission to attack victim targets. 

"Two more critical flaws, CVE-2021-1924 and CVE-2021-1975, affect Qualcomm closed-source components, while a fifth critical vulnerability in Android TV (CVE-2021-0889) could permit an attacker in close proximity to silently pair with a TV and execute arbitrary code with no privileges or user interaction required," reports the hacker news. As per the latest Google security patches, it identified a total of six zero-day vulnerabilities from January 2021 in the android devices. 

Google says security vulnerabilities that are documented in this security bulletin are required to declare the latest security patch level on Android devices. Additional security vulnerabilities that are documented in the device / partner security bulletins are not required for declaring a security patch level. Android device and chipset manufacturers may also publish security vulnerability details specific to their products, such as Google, Huawei, LGE, Motorola, Nokia, or Samsung. To know in detail about Google's security patches released recently, readers can visit Google's source website. Stay updated with Cy Security to know more.

Threat Actors Exploit Chrome to Deliver Malware as Windows 10 App

 

Hackers that launched a recently discovered malware campaign are attacking Windows 10 with a malware which could infect systems with a process which evades Windows cybersecurity protections known as User Account Control (UAC). "Researchers couldn’t retrieve the payload files from the sample that they analyzed because they were no longer present when they investigated. However, they used samples from VirusTotal to peer under the hood," reports ThreatPost. Rapid7 cybersecurity experts discovered the campaign and warned the goal of hackers is to extract out personal data and steal cryptocurrency from infected victim PC.
According to experts, malware is very persistent on PC, exploiting the Windows environment variable and a local scheduled task to make sure it constantly executes with extra privileges. The attack chain initiates when a Chrome browser user opens a malicious site, followed by opening of a "browser ad service" which requests the user to take some action. However, it isn't confirmed what the experts mean by 'browser ad service.' The end goal of the hacker is to steal data using info-stealer malware, stolen data includes browser credentials and cryptocurrency. 

Besides this, other suspicious activities include stopping browser update and creating a system situation suitable for arbitrary commands execution. Hackers have been using a compromised site particularly built for to abuse a Chrome browser version (that runs on windows 10) to provide malicious payloads. The investigations of user chrome browser also showed redirects to various malicious domains and other suspicious redirect chains prior to the first stage infection. 

"Upon further analysis, researchers found that birchlerarroyo[.]com presented a browser notification requesting permission to show notifications to the user. This as well as a reference to a suspicious JavaScript file in its source code led theRapid7 team to suspect that it had been compromised, Iwamaye said.It’s unclear from the research, why or how a user would be coaxed into permitting the site to send notification requests via the Chrome browser. However, once notifications were permitted the browser user was alerted that their Chrome web browser needed to be updated," reports ThreatPost.

Data of 200,000 Shareholders Exposed due to a Vulnerability in the BrewDog App

 

BrewDog allegedly leaked the personal identifying information (PII) of around 200,000 shareholders for the better part of 18 months, according to experts. BrewDog "declined to inform their shareholders and asked not to be named" in the investigation that revealed the system vulnerabilities, according to PenTestPartners. 

The Scottish brewery incorporated a hard-coded Bearer authentication token associated with API endpoints targeted for BrewDog's mobile applications, according to the cybersecurity company. 

These tokens were delivered, however, this verification step was skipped because it was hardcoded to be activated after a user entered their credentials, providing access to an endpoint. 

Members of PenTestPartners, who also happened to be BrewDog stockholders, added one another's customer IDs to API endpoint URLs. During testing, they discovered that without an appropriate identification issue, they could access the PII of Equity for Punks stockholders. 

Identities, birth dates, email addresses, gender identities, contact information, prior delivery addresses, shareholder numbers, shares owned, referrals, and other information were all available in the leak. The customer IDs, however, were not regarded as "sequential." 

"An attacker could brute force the customer IDs and download the entire database of customers," the researchers said. "Not only could this identify shareholders with the largest holdings along with their home address, but it could also be used to generate a lifetimes supply of discount QR codes!" Hard-coding authentication tokens, according to PenTestPartners, are a failure to fulfill these criteria since some of the PII exposed falls within the GDPR security banner. 

The bug has been there since March 2020, since BrewDog's app version 2.5.5 introduced hard-coded tokens. However, BrewDog's team was unaware of the vulnerability for a long time and failed to protect their token system in later releases.

The problem was eventually resolved in version 2.5.13, which has been released on September 27, 2021. BrewDog, on the other hand, elected not to reveal anything significant in the release's changelog announcement. 

"The vulnerability is fixed," the researcher says. "As far as I know, BrewDog has not alerted their customers and shareholders that their details were left unprotected on the internet. I worked with BrewDog for a month and tested six different versions of their app for free. I'm left a bit disappointed by BrewDog both as a customer, a shareholder, and the way they responded to the security disclosure." 

BrewDog also told that: "BrewDog was notified of a vulnerability and the potential for data to be compromised. Investigations found no evidence that it was. Therefore there is no requirement to inform the ICO. An independent party documented the case as is required by the ICO." 

However, the corporation will also have to notify the UK's data protection officer due to the type of personal information exposed, as PII falls under GDPR, which is still in effect in the country.

Researchers Make Contactless Visa Payment Using iphone Flaw

 

Cybersecurity experts in a video showed how to make a contactless Visa payment of €1,000 from a locked iphone. These unauthorised payments can be made while the iPhone is locked, it is done via exploiting an Apple Pay feature built to assist users transaction easily at ticket barriers payments with Visa. 

Apple responded by saying the problem is concerned with a Visa system. However, Visa says that its payments are safe and the such attacks lie outside of its lab and are impractical. Experts believe that the problem exists in the Visa cards setup in 'Express Transit' mode in iPhone wallet. 

It is a feature (express transit) which allows users to make fast contactless payments without unlocking their phone. However, the feature turned out to be a drawback with Visa system, as experts found a way to launch an attack. While scientists demonstrated the attack, the money debited was from their personal accounts. 

How does the attack look? 

  • A small radio is placed beside the iPhone, the device thinks of it as a legit ticket barrier. 
  • Meanwhile an android phone runs an application to relay signals (developed by experts) from the iPhone to a contactless transaction platform, it could be in a shop or a place that is controlled by the criminal. 
  • As the iPhone thinks the payment is being done to a ticket barrier, it doesn't unlock. 
However, the iPhone's contact with the transaction platform is altered to make it think that the iPhone has been unlocked and an authorized payment is done which allows high value payments, without the need of fingerprint, PIN, or Face Id verification. 

The experts while demonstrating in a video did a €1,000 Visa transaction without unlocking the iPhone, or authorizing the payment. According to experts, the payment terminals and android phones used here don't need to near the targeted iPhone. 

As of now, the demonstration has only been done by experts in the lab and no reports of the feature exploit in the wild have been reported. "The researchers also tested Samsung Pay, but found it could not be exploited in this way.They also tested Mastercard but found that the way its security works prevented the attack. 

Co-author Dr Ioana Boureanu, from the University of Surrey, said this showed systems could be "both usable and secure". The research is due to be presented at the 2022 IEEE Symposium on Security and Privacy," reports BBC.

Google Released 41 Security Updates, Severity High and Critical

 

Google issued latest Android October security patches, fixing 41 vulnerabilities, of high and critical severity. Every month, Google issues security patches for Android OS consisting vendor fixes and framework for the month. The current update includes patches for 10 vulnerabilities which were addressed in the 2021-10-01 Security patch level, which was released earlier this week. The flaws with high severity patched October's DoS (Denial of Service), remote code executions, information disclosure issues, and elevation of privilege. Three critical severity vulnerabilities in the update are termed as: 
  • CVE-2020-11301: A critical vulnerability impacting Qualcomm's WLAN parts, concerned with unencrypted (simple text) frames acceptance on secure networks. 

  • CVE-2020-11264: A critical vulnerability impacting Qualcomm's WLAN parts, concerned with non-EAPOL/WAPI frames acceptance from malicious source retrieved in IPA exception pathways. 

  • CVE-2021-0870: Remote Code execution vulnerability in android OS, which allows threat actor to deploy arbitrary codes related to the privileged process. 

The 41 vulnerabilities released this month have not been exploited according to experts, therefore users can be assured of no vulnerability exploits running in the wild. Earlier devices which are incompatible with the current security updates are more susceptible to attacks, because this month's security patches can be a golden opportunity for hackers to deploy exploits in the future. One should note that, Android OS security patches are not limited to android variants, the latest updates are concerned with android versions 8.1 to 11. 

Similarly, the OS variant isn't a deciding factor for to know whether your device is compatible. If the user is sure that his device has reached the EOL date, he can install a third party android distribution that would provide monthly security updates for the device, or replace it with a new version. "Android fans have been eagerly waiting for the release of version 12, which was rumored for October 4, 2021, but what they got instead was the source of Android 12 pushed to the Android Open Source Project" reports Bleeping Computers. The last step highlights that the actual release is not far away, and OTA update news could be supported for Pixel device.

Republican Governors Association Targeted in Microsoft Exchange Server Attacks

 

The Republican Governors Association was one of many U.S. organizations attacked in March when a nation-state group exploited vulnerabilities in Microsoft Exchange email servers, according to a breach notification letter filed with the Maine attorney general's office this week.  

For companies worldwide, the situation became a cause of concern; nearly 500 persons linked with the RGA's personal information might have been exposed due to the assault. According to the organization's attorney, personal information includes social security numbers. 

The RGA was notified of the breach on March 10, eight days after Microsoft made the campaign public. At this time, it's highly uncertain who is to blame for the breach and what happened to the data compromised. 

Microsoft exchange server attack’s fallout: 

This incident is the latest fallout to arise from the massive breach of the Microsoft Exchange Server earlier this year. The breach was connected to hacker organizations supported by the Chinese government. A computer exploit made the vulnerabilities public, allowing opportunistic fraudsters to launch a large-scale attack. 

According to the RGA, on February 28, hackers hacked into “a small portion of [its] email work environment". It went on to say that it only discovered the hacking campaign on March 10, eight days after Microsoft made a public announcement about it. 

The RGA's spokesman declined to elaborate on specifics of the breach, such as about the offenders and the damage. It further said it was “unable to determine what personal information, if any, was impacted as a result of the incident.”

The US skeptical of China's role in the Microsoft hack

After the cyberattack, the RGA stated it upgraded its Microsoft software. China was blamed by the US government for its participation in the Microsoft Exchange attack in July. As a response, the United Kingdom and the European Union-backed the United States' condemnation of China. 

Four Chinese nationals were also charged with criminal charges by the US Department of Justice. 

As per security experts, tens of thousands of US state and local companies were using vulnerable software at the height of the Exchange Server attack. However, many companies were able to safeguard themselves by installing a software update. 

The US National Security Council has gathered numerous times since the event, urging corporations to amp up their cyber defenses. Businesses in countries other than the United States were also affected by the attack. This includes Europe, where the European Union's financial authority, the Norwegian parliament, and two German government bodies have all been attacked. 

In accordance with the country's cybersecurity body, it also affected a considerable number of companies in Australia.

Precautionary Measures: 

The Republican Governors Association states that since the assault was identified in March, it has implemented the Microsoft updates for the vulnerable versions of its on-premises Exchange server. According to the letter, law enforcement and other organizations have also been alerted. 

The credit monitoring services are also being given to the approximately 500 persons impacted by the assault. 

"Out of an abundance of caution, RGA is also offering you two years of complimentary credit monitoring and identity restoration services with Experian." 

"RGA has also notified the Federal Bureau of Investigation, certain state regulators, and the consumer reporting agencies of this incident as required."

Vulnerabilities Found In Moxa Railway Devices, Can Cause Disruption

 

Railway and other wireless communication devices developed by Moxa have been affected by 6p vulnerabilities. Moxa is a Taiwan based industrial networking and automation firm. Earlier this week, cybersecurity firm SEC (owned by Atos) revealed that an expert at SEC found two new flaws in Moxa devices along with various out of date third party software components filled with flaws. 

As per the experts, Moxa devices are infected with a Command injection vulnerability that can be abused by an authenticated actor to hack the device's OS (operating system) (CVE-2021-39279), along with a reflected XSS (cross site scripting) flaw which can be exploited using a special configuration file (CVE-2021-39278). Besides this, the products are affected by an estimated 60 other vulnerabilities in third party softwares like GNU C Library, Dropbear SSH software, BusyBox client, Open SSL, and Linux Kernel. Moxa has released two different reports for the Vulnerabilities. 

The Security Week reports "one of them describes the impact on TAP-323, WAC-1001 and WAC-2004 series devices, which are designed for railways. The TAP-323 device is a trackside wireless access point designed for train-to-ground wireless communications, while the WAC devices are described as rail wireless access controllers." It is also building patches for the Tap-323 and WAC-1001 products, however, WAC-2004 series devices are discontinued and the seller has asked customers to take precautions for reducing the risk of exploitation. 

According to Thomas Weber, the researcher at SEC who found about the vulnerability in Moxa, currently no analysis has been done to check whether the XSS and command injection flaws can be constrained, however, it might be possible. A hacker would have to fool an authenticated user into opening a link which would enable the XSS to steal necessary information to get verified on system and exploit the command injection. 

Experts are not sure about the damage that an attacker can cause, but it all depends on the critical messages sent through the devices. "If an attacker gains access to the web-based management interface of the affected devices and they obtain login credentials — the login credentials could be obtained through various methods — they would be able to take over the whole device with persistent access," says the security week.

Attackers Remotely Exploit Bugs in Linphone Session Initiation Protocol (SIP) Stack

 

A team of researchers recently revealed data regarding a zero-click security vulnerability in the Linphone Session Initiation Protocol (SIP) stack that may have been effectively abused without even any effort from the victim's side to corrupt the SIP client as well as trigger a denial-of-service (DoS) situation. 

Linphone is a 20-year-old open-source voice-over IP (VoIP) project that claims to have been the first open-source software on Linux to use the Session Initiation Protocol (SIP). Its SIP software is used by developers and programmers to create communication systems that incorporate instant messaging, audio, and video. It is developed and maintained by France-based Belledonne Communications. 

The flaw, identified as CVE-2021-33056 (CVSS score: 7.5) by researchers, is a NULL pointer dereference vulnerability in the "belle-sip" component, a C-language library that is used to construct SIP transport, transaction, and dialogue layers, with all generations previous to 4.5.20 compromised by the bug. Claroty, an industrial cybersecurity firm, detected and reported the flaw.

To a certain end, the remotely manipulable security flaw can be enabled by appending a malevolent forward-slash ("</") to a SIP message header such as To (the call recipient), From (the call initiator), or Diversion (redirect the destination endpoint), culminating in a collapse of the SIP client program that uses the belle-sip library to manage and parse SIP messages. 

This bug is a zero-click vulnerability, as submitting an INVITE SIP request with a particularly designed From/To/Diversion header leads the SIP client to crash. As a result, any application that uses belle-sip to examine SIP messages will become inaccessible if a fraudulent SIP "call." is received. 

"Successful exploits targeting IoT vulnerabilities have demonstrated they can provide an effective foothold onto enterprise networks," Brizinov said. "A flaw in a foundational protocol such as the SIP stack in VoIP phones and applications can be especially troublesome given the scale and reach shown by attacks against numerous other third-party components used by developers in software projects." 

Furthermore, the latest updates for the core protocol stack have been released, companies who depend on the impacted SIP stack in their products must apply the changes downstream.